How to make your staff cybersecurity aware

With cybersecurity becoming increasingly relevant to businesses, ensuring every employee is aware of the implications is paramount.

Security is becoming more personal, with organisations starting to understand the bigger role that individual employees must play in helping to strengthen their organisation’s cybersecurity. Educating your staff is crucial to your SME’s cyber-safety.

“Over the course of a half-hour or hour-long session, get a senior team member (for example, the CTO) to deliver a presentation on emerging cybersecurity threats and how to deal with them.” He adds: “Try to come up with creative ways of illustrating the threat posed by cybersecurity breaches. Do what you can to make the subject matter colourful.”

Start with the basics

“Educating your staff doesn’t have to be expensive or time-consuming,” says Chris Wallis from cybersecurity company Intruder. “The most important threat for the majority of staff to be aware of is ‘phishing’, but a quick Google for ‘examples of phishing attacks’ and a quarterly warning email sent round the office would be a good start for most smaller companies.”

Mr Wallis suggests checking out resources such as amisafeonline.com, which aims to help individuals raise their own cybersecurity awareness and, for bigger companies, something such as hook.ee, which lets staff attempt to catch each other out with phishing attacks.

Make the training relevant

Staff training needs to be specific to your organisation. “This can range from the importance of hard-to-crack passwords involving lower and upper-case letters, numbers and symbols, which are changed on a regular basis and are only used for your organisation rather than for social media or online shopping accounts, through to confidential waste destruction, encrypting data in emails and attachments, and how to keep paper files secure and confidential when out of the office – and indeed questioning whether paper files actually need to be taken out of the office at all,” says Christian Mancier, data protection and corporate law solicitor at Gorvins Solicitors.

“If employees can relate this to their day-to-day role then they take it in and help reduce the risk of future breaches.”

Hack yourself

Every organisation should be holding regular cybersecurity audits to ensure its procedures are up to scratch. Says Mr Rowles: “We would advocate having your own senior tech experts try to gain access to your systems and data as part of the process.”

Findings from such investigations can help inform team members at every level of an organisation. Management can learn of vulnerabilities and requirements for updates, while junior team members might be alerted to human errors that lead to security flaws.

Don’t make villains of your staff

Andrew Mills, director of Sheffield-based IT support and cybersecurity company Datamills UK Ltd, says: “It’s all too easy to create an enemy within. Get them on board with initiatives. Even with the best intentions, staff may circumvent systems and procedures that make things slower, but this creates security holes.”

Mr Mills advises: “Work with staff to create a secure environment, tell them you need their help. Help them with personal cybersecurity at home and, as a byproduct, the business will gain an extra level of protection. It’s important to make staff feel they are part of the solution, and not part of the problem.”

Have a universal security policy

One of the most important steps for SMEs is to set out a universal company security policy, written in plain English and avoiding the use of jargon. This policy should form a key part of staff induction – for permanent employees as well as contractors or third-party users of their systems.

All staff should receive regular refresher training on security risks to the company to make sure that best practice is being followed. Paul Everitt, chief executive of ADS (the Aerospace, Defence, Security and Space trade organisation) says: “Cybersecurity procedures should be treated just as importantly as health and safety has been in recent decades.

“Advice to staff on cybersecurity should be clear, easy to access and regularly updated to make sure all staff are completely up to speed on company expectations and the latest best practice.”